Mitsubishi Electric ADVANCE Vol126 Complete

Jun. 2009 / Vol. 126

MITSUBISHI ELECTRIC ADVANCE

Information Security Technology

Cover Story CONTENTS

It is no exaggeration to state that not a day passes Technical Reports where encryption is not used in our daily life. This issue introduces various information security technologies supporting the safety and security of Overview ...... 1 information systems, focusing on encryption by Mitsuru Matsui technology and examples of its application. Current State and Future Trend of Encryption Technology ...... 2 by Mitsuru Matsui • Editorial-Chief Kiyoshi Takakuwa Development of ID-Based Encryption ...... 6 by Katsuyuki Takashima and Tsutomu Sakagami • Editorial Advisors Chisato Kobayashi Research Activities in Quantum Cryptography and Security Kanae Ishida Analysis ...... 9 Makoto Egashira by Toshio Hasegawa and Toyohiro Tsurumaru Koji Yasui Hiroaki Kawachi Masayuki Masuda Hardware Implementation of Cryptographic Algorithm ...... 13 Akio Toda by Daisuke Suzuki Kiyoji Kawai Tetsuji Ishikawa Performance Evaluation of Block Encryption Algorithms on Taizo Kittaka Core 2 ...... 16 Keiji Hatanaka by Junko Nakajima and Mitsuru Matsui Itsuo Seki Kazufumi Tanegashima Information Security for Mitsubishi Digital CCTV System Kazumasa Mitsunaga MELOOKμ ...... 19 • Vol. 126 Feature Articles Editor by Teruyoshi Yamaguchi, Hironobu Abe and Tomohiro Ueda Mitsuru Matsui Our Efforts in PKI Technologies ...... 22 • Editorial Inquiries by Satoshi Takeda, Tadakazu Yamanaka and Hideyuki Miyohara Makoto Egashira Corporate Total Productivity Management & Environmental Programs Fax +81-3-3218-2465

• Product Inquiries Information Technology R&D Center Administration Dept. Fax +81-467-41-2142

Mitsubishi Electric Advance is published on line quarterly (in March, June, September, and December) by Mitsubishi Electric Corporation. Copyright © 2009 by Mitsubishi Electric Corporation; all rights reserved. Printed in Japan.

TECHNICAL REPORTS Overview

Author: Mitsuru Matsui*

Encryption technology is widely utilized in IT systems and products as an indispensable means for protecting personal privacy and corporate confidentiality. We are living in an age where it would be difficult to go about our daily activities without using any encryption even though it may not be directly visible.

The algorithms that support encryption technology are classified according to their properties into various types including common key block encryption, hash functions, and public key encryption. Encryption algorithms are organically integrated to support the security of information communication while sharing their role in the system. Since 1995, we have developed common key block encryption algorithms, typified by MISTY and Camellia, and released their specifications to the public, and we have also promoted activities for their standardization in and outside Japan. Consequently, the International Organization for Standardization (ISO) currently adopts these encryption algorithms as world standards.

In the meantime, cryptanalysis studies aimed at evaluating the security of encryption algorithms have also made remarkable progress. Recent concerns have surfaced about the future security of some encryption systems currently in wide use, such as hash functions. Therefore, the current encryption system is globally shifting to a new cryptography system.

In addition, the mathematical security of encryption as well as the security of its implementation in both software and hardware must be considered in actual systems. In this respect, the point of contact between encryption technology and physics has widened.

Against this backdrop, Mitsubishi Electric is developing encryption algorithms and information security systems that combine high security against cryptanalysis with high practicality such as compact size and high speed. This issue provides a sampling of our efforts

*Information Technology R&D Center Mitsubishi Electric ADVANCE June 2009 1 TECHNICAL REPORTS

Current State and Future Trend of Encryption Technology

Author: Mitsuru Matsui*

1. Introduction Recently, researchers pointed out that several A surprisingly long time has passed since encryp- widely used encryption systems are at risk of being tion technology first came into use in our own backyard. compromised or deteriorating in security, which could Now, ciphers are used in many of the items that we affect the use of encryption from 2010 onward. This is carry around, such as cellular phones, cash cards, train the so-called “year 2010 encryption problem” under tickets, mobile PCs, and electronic car keys. We live in global discussion. an age where almost everyone uses encryption in their Against this backdrop, this paper focuses on the daily lives, often without even realizing it. encryption systems currently used in our own backyard Looking back over the development of encryption and discusses the present state of security evaluation technology, we can see that the purpose of using ci- from a practical viewpoint. Also presented is an over- phers has extended from “confidentiality” for protecting view of new encryption technologies currently attracting confidential information to “authentication” for prevent- attention, and a summary of their significance from the ing spoofing and “integrity” for preventing forgery of viewpoint of convenience and security. information; and that today’s processors and devices with lower power consumption and higher speed have 2. Security of Hash Functions greatly increased the potential for cryptographic appli- 2.1 Hash Function cation. The hash function is a cryptographic component Meanwhile, the advances made in encryption that finds a great number of applications such as for technology also mean advances in cryptanalysis tech- encrypted passwords, digital signatures, and random nology. The scientific community is presently engaged number generation. It is also referred to as a crypto- in research on cryptanalysis with the goal of identifying graphic hash function to clarify the use of encryption. any problems in the current encryption systems. The The role of the hash function is to receive data of consensus of encryption researchers is that advances an arbitrary length as input and “compress” it to gener- made in cryptanalysis technology will mean advances ate a hash value of fixed length. Important security in encryption technology. requirements for the hash function include Academia requires that encryption algorithms have one-wayness and collision resistance. One-wayness universal and extremely high security. Therefore, the means that it is difficult to compute the input backwards relationship between cryptanalysis in an academic from the output, and collision resistance means that it is sense and cryptanalysis in a specific practical applica- difficult to detect two different input messages where tion is not always self-evident. Serving as a bridge the hash values are the same. between them is an important role of encryption re- Figure 1 shows an example of using the hash searchers in companies. function in a digital signature. A signer uses the hash

Public key of signer

Private key of signer

Private Public Signature: Com- key key parison operation operation Hash function

Signer Hash function Hash function Verifier Fig. 1 Example of using the hash function in a digital signature

*Information Technology R&D Center 2 TECHNICAL REPORTS

function to process a message and then perform actually arise in some applications, care must be taken private key operation. In this case, the collision of and it is recommended that these hash functions not be hash functions can be disastrous. That is, the capabil- used whenever possible. ity to compute two different messages, M and M’, The computation amount for obtaining collision of where Hash(M) = Hash(M’) refers to the impossibility SHA-1 is reported to be about 263(3), which is one hun- of the verifier being able to distinguish digital signature dred thousandth of its proper computation amount of M from M.’ Thus, collision resistance is a vital property 280. For SHA-0, the initial version of SHA-1, although its of the hash function. algorithm document differs in only one line from that of SHA-1 (specifically, SHA-1 requires one more rotation 2.2 Examples of hash functions shift operation compared to SHA-0), it is already in a The current most widely used hash function is U.S. state in which collision is easily found. When this fact is Government Standard SHA-1(1). Until SHA-1 was estab- taken into consideration, the risk of SHA-1 being com- lished, the MD series hash functions, MD4 and MD5, promised cannot be disregarded. were in wide use. Even now, some applications use For SHA-2, the likelihood of the collision of algo- MD5 for the purpose of compatibility. However, as rithms being found has not yet been reported, and it is described in this section, the use of the MD series hash considered that there are no problems with SHA-2 even functions cannot be recommended in terms of security. in an academic sense. The hash length of SHA-1 is 160 bits. A newly es- tablished U.S. Government Standard, SHA-2, has a 2.4 Future of hash functions longer hash length. SHA-2 is the generic name for The U.S. National Institute of Standards and several hash functions, and individual algorithms are Technology (NIST), which establishes the Federal called SHA-256, SHA-384, and SHA-512 using the Information Processing Standards, recently announced format in which the hash length follows the name. that the use of SHA-1 for the purpose of digital signatures will be discontinued in 2010, and, consequently, a 2.3 Security problem of hash functions rapid shift from SHA-1 to SHA-2 is currently taking It is generally known that the collision of hash func- place. Even though SHA-2 does not presently pose a tions with a hash length of n bits can be found by a security problem, its structure is similar to that of SHA-1, computation amount of 2n/2. Thus, the upper limit of and thus it is considered that hash functions with a new hash function security becomes 2n/2. However, it was structure should eventually be standardized. recently found that the collision of some hash functions For this reason, NIST initiated a project in 2008 to can be obtained by a computation amount that is select a government standard encryption ASH (Ad- smaller than 2n/2. Examples of actual collision of MD4 vanced Hash Standard) after SHA-2, and a new stan- and MD5 in particular have been reported(2). Although dard is expected around 2012. Therefore, the use of the collision of SHA-1 has not yet been reported, dis- SHA-2 will continue only until the new standard is es- covery is expected within one or two years. tablished. Table 1 is a summary of the present state of secu- There is almost no application where its security is rity of hash functions. The step count here indicates the threatened because of the discovery of one SHA-1 iteration count of the internal basic functions in the hash collision, but the shift to a new hash function is required function. Since MD4 and MD5 collisions are easily in systems where its validity must be guaranteed for a found and the possibility of spoofing and forgery may long time, such as for digital signatures. Thus, for actual systems, the shift to a new hash Table 1 Present state of security of hash functions function should be determined according to whether the Hash Step Block length Standard Collision system is affected by the recently discovered hash length count function collisions and the validity period of the system MD4 128 bit 512 bit 48 RFC1320 × and data. MD5 128 bit 512 bit 64 RFC1321 × SHA0 160 bit 512 bit 80 × 3. Security of Public Key Encryption FIPS180-2 SHA1 160 bit 512 bit 80 Δ 3.1 RSA encryption ISO10118 Developed in the mid-1970s, RSA encryption is Same as SHA256 256 bit 512 bit 64 { one of oldest and most widely used public key encryp- the above Same as tion technologies. Its security is based on the difficulty SHA512 512 bit 1024 bit 80 { the above of a problem involving factorization into prime numbers, ×: Many collisions have already been discovered. and if the key length (composite length) is increased, Δ: High possibility that a collision will be discovered in the near future. cryptanalysis should become exponentially difficult {: There is no indication that a collision will be discovered. (factorization into prime numbers becomes difficult).

Mitsubishi Electric ADVANCE June 2009 3 TECHNICAL REPORTS

RSA encryption generally uses a key length of about 2015 at the earliest. Thus, under the present 1,024 bits, but 2,048 bits or more may be used in a circumstances, as with the hash function, it is recom- particularly important system. The computation amount mended that the key length for RSA encryption be required for 1,024-bit composite factorization into prime shifted to 2,048 bits for applications requiring long-term numbers is about 280, or the same degree as the com- evidence to be secured, such as for digital signatures. mon key encryption of an 80-bit key and the security of However, as previously described, it is not always a hash function with a hash length of 160 bits. easy to shift the key length for RSA encryption, since In RSA encryption, the computation amount re- doubling the length significantly affects the application. quired for encryption and decryption is proportional to the As described below, it will become important to use a cube of the key length. That is, when the key length is mechanism that extends the effectiveness of crypto- doubled, the operation amount octuples. RSA encryption graphic processing to cope with this problem. requires the generation of prime numbers each time a key is generated, and this computation amount is gener- 3.3 Identity-based encryption ally proportional to the fourth power of the key length. Identity-based encryption, in which arbitrary infor- Thus, in an application requiring speed and a system that mation can be set in a public key, was advocated back issues a large amount of digital certificates, the key in 1984. For many years after that, the specific con- length significantly affects the entire performance. struction of secure identity-based encryption was an unresolved problem. Eventually, around 2000, a system 3.2 Present state of security of RSA encryption was invented that is practical and has proven security, The lower limit of the computation amount required possibly the ultimate solution(5)(6). Since then, active for factorization into prime numbers is not known and research and development has been underway around even the fact that it is necessary for exponential time is the world. not mathematically proven. However, factorization into Table 3 lists the relationship between the public prime numbers is a long-standing mathematical prob- key and private key for RSA encryption, the elliptic lem, and from the previous research findings, it is con- curve cryptosystem, and identity-based encryption. The sidered that factorization into prime numbers cannot be public key for RSA encryption and the elliptic curve executed in polynomial time. cryptosystem appear on the left side of the relational This indicates asymptotical evaluation or that the expression and the private key for identity-based en- security increases dramatically when the key is length- cryption appears on the left side. The essential advan- ened, and does not guarantee the computation time of tage of identity-based encryption is that the relationship factorization into prime numbers when the key is fixed is one where computation can start with an arbitrary to a certain length. To determine the potential for indi- public key. vidual composite factorization into prime numbers, researchers are continuously running experiments with Table 3 Relationship between public key and private key multiple computers. As listed in Table 2, records have in public key encryption been broken one after another, with the current world Public Private Relationship between public key and (4) key key private key record at 640 bits . RSA encryp- N P, q N = p × q (p and q: Prime numbers) tion → N cannot be set to an arbitrary value. Table 2 History of world records for factorization into Elliptic curve y x y = x·P (dot: Multiplication of elliptic curve prime numbers cryptosys- by scalars) Number of bits of Date that factorization into prime tem (P: Common public information) composite numbers was announced → y cannot be set to an arbitrary value. Iden- y x x = s·y (dot: Multiplication of elliptic curve 430 April 10, 1996 tity-based by scalars) 463 February 2, 1999 encryption (s: Secret known only by the center) → y can be set to an arbitrary value 512 August 22, 1999 (= identity). 530 April 1, 2003 While one of the purposes of the digital certificate 576 December 3, 2003 used in the current PKI framework is to prevent spoof- 633 May 9, 2005 ing by guaranteeing the relationship between the public 640 November 2, 2005 key and its owner, identity-based encryption has a breakthrough feature that prevents spoofing even with- From these results, it is difficult to predict when a out a certificate since the owner information is embed- 1,024-bit composite would be subjected to factorization ded in the public key itself. into prime numbers, but it is considered that it will be Meanwhile, the PKI framework, which was stan-

4 TECHNICAL REPORTS dardized long ago, has a legal basis, is deeply integrated in our daily life, and the certificate has a revocation mechanism. Therefore, the role of identity-based encryption will depend on future applications; it will not be a rival of PKI. Although the products using identity-based encryption are still low in number, research and development towards higher-speed encryption is also making rapid progress and the application of identity-based encryption to embedded systems is expected.

4. Conclusion This paper explained the present state of security of encryption algorithms and future prospects for encryption technology while giving specific examples. We have proceeded with a comprehensive approach to encryption technology from the development of block encryption and construction of public key encryption and PKI to participation in standardization. We have also been focusing on encryption implementation and quantum encryption application for a long time. Approaches to individual technologies described here are discussed in the papers of this June 2009 issue. For details, refer to the relevant papers.

References (1) “Secure Hash Standard,” FIPS Publication 180-2, NIST (2002). (2) X. Wang et al., “Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD,” Cryptology ePrint Archive 2004/199 (2004). (3) X. Wang et al., “New Collision Search for SHA-1,” CRYPTO 2005 Rump Session (2005). (4) “RSA-640 is factored,” RSA laboratories homepage, http://www.rsa.com/rsalabs/node.asp?id=2964 (5) K. Ohgishi, R. Sakai and M. Kasahara, “Basic consideration on ID key sharing scheme on elliptic curves,” ISEC99-57 (1999). (6) D. Boneh et al., “Identity-based encryption from the Weil pairing,” CRYPTO 2001 (2001).

Mitsubishi Electric ADVANCE June 2009 5 TECHNICAL REPORTS

Development of ID-Based Encryption

Authors: Katsuyuki Takashima* and Tsutomu Sakagami*

1. Introduction 1. Properly ciphertext can be decrypted to the original The recent development of ID-based encryption is plaintext. attracting attention because it enables the use of ID 2. Any private key corresponding to any ID other than information as a public key. After the concept of ID1 cannot retrieve any information about plaintext ID-based encryption was first proposed by Shamir in corresponding to ciphertext addressed to ID1. 1984(1), many years passed before a working system The second condition is the security requirement was implemented by Sakai and Kasahara using their against collusion attacks. ID-based key sharing scheme in 1999(2) and Boneh et al. in 2001(3) using their ID-based encryption algorithm 3. Improved Algorithm for Pairing opera- with proven security. In ID-based encryption, an impor- tion on Elliptic Curves tant role is played by pairing operation on elliptic curves. While various schemes have been proposed to re- In this paper, Section 2 provides a technical overview of alize an ID-based encryption system as described in ID-based encryption; Section 3 introduces our efficient Section 2, all of the practical schemes are based on pairing operation method; and Section 4 discusses an pairing operation on elliptic curves. experimental encrypted mail system. An elliptic curve E is defined by Y2 = X3 + aX + b (where a and b are elements in a finite field). For points 2. ID-Based Encryption P and Q on the curve, algebraic addition P + Q is de- Each ID-based encryption system needs an fined. Also, pairing operation on E is given as a bilinear ID-based private key generator (PKG), which generates map(P,Q) → e(P, Q) where e(P, Q) is in (an extension a private key for an arbitrary ID. It consists of four func- of) the finite field. In the following discussion, specific tions: “parameter generation function” and “private key pairing called “Tate pairing e” is treated. One of the generation function” utilized by the PKG, and “encryp- properties of pairing e is bilinearity, which is the most tion function” and “decryption function” utilized by the important characteristic for ID-based encryption and is users. expressed as: z The parameter generation function uses the bit e(uP, vQ) = e(P, Q)uv length of the key as input data to generate system parameters for use throughout the system and a Due to this bilinearity, ID-based encryption and PKG private key. various other crypto applications can be used in practice. z The private key generation function generates a user Pairing operation largely consists of Miller’s algo- private key from ID information provided using the rithm and final exponentiation. Extensive studies have system parameters and the PKG private key. been made to improve the efficiency of Miller’s algo- z The encryption function generates ciphertext from rithm in relation to the selection of relevant parameters. plaintext using the system parameters and the ID. A commonly used Miller’s algorithm is Algorithm 1. z The decryption function generates plaintext from While a detailed explanation is not included here, com- ciphertext using the system parameters and the user putation according to Algorithm 1 is performed using private key. lines l and v that appear in the addition and doubling Note that the ID, an input to the encryption function, algorithm on the elliptic curve. is the public key. In an ordinary public key encryption Many reports have been published on the im- scheme, a public key certificate, which is the signature proved efficiency of the above algorithm. We have to the public key, is used to ensure the validity of the modified the method proposed by Scott(5) so that the public key for the encryption. In ID-based encryption, security can be flexibly adjusted, using a specific curve however, a public key certificate is not required be- Y2 = X3 + b where p ≡ 1 (mod 3) is the order of the finite cause any ID can be made into a public key, which field, which allows fast computation. This curve has the increases the convenience of this method. map (x, y) → (βx, y), where β is a primitive cubic root of For ID-based encryption to work properly, the 1. Using this map, faster computation can be achieved. abovementioned four functions must satisfy the following two conditions:

*Information Technology R&D Center 6 TECHNICAL REPORTS

Algorithm 1 Miller’s algorithm 4.2 Encrypted mail client Input: Points P and Q on E. Outlook 2003 is used as the encrypted mail client, Output: Miller variable. because of its expandability with add-on features and our previous experience with feature expansion. 1: Select a point S on E. Low-level library software is written in C/C++, and 2: Q’ ← Q + S, T ← P. high-level GUI programs are in VB. 3: i ← ⎣log2(r)⎦ – 1, ƒ ← 1. 4: while m ≥ 0 do 4.3 Data communication between PKG and mail 5: Calculate lines l and v for doubling T. client 6: T ← 2T. The data format for communication between PKG and the mail client is defined using XML because SOAP 2 l(Q')v(S) 7: ƒ ← ƒ . over http/https is used as the low-level protocol. v(Q')l(S) 8: If the i-th bit of r is 1, then 4.4 Encrypted mail data 9: Calculate lines l and v for adding T and P. Encrypted mail transmitted from the encrypted mail 10: T ← T + P. client is formatted using Mitsubishi’s proprietary capsu- l(Q')v(S) lar scheme. This capsular data format, which has long 11: ƒ ← ƒ been studied at our laboratory, allows not only data v(Q')l(S) encryption but the definition of usage restrictions on the 12: end if received data (printable or not, copy/paste allowed or 13: i ← i – 1. not, etc.). 14: end while 15: Output ƒ. 4.5 Future prospects Since ID-based encryption is a new encryption Fig. 1 Miller’s algorithm scheme, related standards are still under consideration by the IETF, including the method for distributing sys- 4. Prototype Encrypted Mail System tem parameters from PKG to the client, and how to An experimental encrypted mail system was con- transfer a private key from PKG to the client. The IETF structed applying the ID-based encryption scheme. We is considering the Cryptographic Message Syntax developed an ID-based private key generator (PKG) (CMS) used in the Secure/Multipurpose Internet Mail and encrypted mail client that is utilized by the users to Extension (S/MIME) with additional data format for transmit/receive encrypted mail. The experimental ID-based encryption (see Reference (4)). Although our system makes it possible to transmit and receive en- own scheme is used in the current implementation, we crypted mail without managing public key certificates or intend to develop a system that allows us to propose advance sharing of passwords. Implementation of this standardization to the IETF and that conforms to the system is described in the following sections. standards.

4.1 PKG 5. Conclusion For ID-based encryption, the keystone of the sys- Regarding ID-based encryption that uses ID infor- tem is PKG. It plays an essential role in the overall mation as the public key and allows easy introduction of operation of the ID-based encryption system including public key encryption function, we proposed an im- distribution of the system parameters pkeyPKG to users proved algorithm and presented an experimental en- and generation of user private keys. In our experimental crypted mail system. system, considering recent business network environ- ments such as the use of firewalls and proxy servers, References the http/https scheme is used as the protocol for en- (1) A. Shamir, “Identity-based cryptosystems and crypted mail clients to access the PKG. In addition, signature schemes,” Crypto 84, pp. 47-53, Springer considering the need for complex data communication Verlag, 1985. between the encrypted mail client and the PKG using (2) K. Ohgishi, R. Sakai and M. Kasahara, “Basic http/https, SOAP is used as the protocol for in- consideration on ID key sharing scheme on elliptic ter-application communication. Since the http/https curves,” IEICE Technical Report, ISEC99-57, pp. protocol is used as the low-level protocol, PKG is im- 37-42, 1999. plemented as a servlet on the Web-based application (3) D. Boneh and M. Franklin, “Identity based encryp- server. tion from the Weil pairing,” Crypto 2001, pp. 213-229, Springer Verlag, 2001.

Mitsubishi Electric ADVANCE June 2009 7 TECHNICAL REPORTS

(4) IETF Internet Draft “Using the Boneh-Franklin and (5) K. Takashima, “Scaling security of elliptic curves Boneh-Boyen identity-based encryption algorithms with fast pairing using efficient endomorphisms,” with the Cryptographic Message Syntax (CMS).” IEICE Trans. on Fundamentals, Vol. E90-A, No. 1, pp. 152-159, Jan. 2007.

Mail server ID-based cryptographic library

Servlet container

Application server

Obtain system parameters Obtain system parameters/private key

Encrypted mail add-on Encrypted mail add-on

Capsule library Capsule library

Mail client library Mail client library

ID-based cryptographic library ID-based cryptographic library

Sender Recipient

Fig. 2 Configuration of prototype ID-based encryption system

8 TECHNICAL REPORTS

Research Activities in Quantum Cryptography and Security Analysis

Authors: Toshio Hasegawa* and Toyohiro Tsurumaru*

1. Introduction compensated by that of the returning signal reflected by Quantum cryptography is a technology that en- the Faraday mirror, resulting in a stable system. This sures ultimate security1). Compared to current cryptog- high stability has made the plug & play system the raphy that could be defeated by the development of an mainstream until now. However, since the light source ultra high-speed computer, quantum cryptography and the detector are both placed on the receiving side ensures secure communication because it is based on in this system, scattered light from the light source the fundamental physical laws. Among the various becomes a high-intensity input, which may increase the quantum information technologies, the most extensive error rate and can be an obstacle for long-distance research is being conducted on quantum cryptography, transmission. In addition, this system is vulnerable to including the development of experimental equipment, one type of implementation attack (so-called “Trojan field tests, and discussions on proposals of new theo- horse attack”), which creates a security issue. For these retical schemes. This paper outlines the domestic and reasons, the one-way setup is more advantageous for overseas trends in research and development on longer-distance experiment and has been widely used quantum cryptography and presents our achievements in recent experiments. In this case, however, active and current efforts toward its practical application. The compensation such as an optical path adjustment is security analysis of quantum cryptography, which is required to maintain the stability of the interferometer. attracting an increasing amount of attention, is also Quantum cryptography experiments using optical discussed. fiber have been actively conducted, with several reports being published including one on a long-distance ex- 2. Research and Development Trends periment over 100 km conducted at Toshiba Research In experiments with quantum cryptography, phase Europe Ltd.2) Field experiments between two remote modulation is often used as the coding method. In this points have also been conducted using existing optical case, an interferometer is configured (for example, a fiber cables, including a 67-km experiment by the Uni- Mach-Zehnder type) and the interference effects are versity of Geneva3), a 96-km experiment by Mitsubishi detected by a photon detector. In actual communication Electric4), and a 125-km experiment by the University of experiments, careful and improved preparation such as Science and Technology of China (USTC)5). Table 1 higher interferometer stability is required. Typical optical shows representative field experiments between two schemes include a one-way setup where the light remote points using the Bennett-Brassard 1984 proto- source is placed on the sending side and the detector col (BB84 protocol, the de facto standard). on the receiving side, and a two-way setup (“plug & In the field test, it is important to establish synchro- play” system) where the light source and detector are nization between the transmitting and receiving equip- both placed on the same side and the photons traverse ment and achieve stability. The timing of photon detec- the same path twice to compensate for fluctuation. In tion must be adjusted to within an accuracy of several the “plug & play” system, when transmitting from Bob hundred picoseconds, which requires optical and timing (the recipient) to Alice (the sender), fluctuating path synchronization as essential functions. For effective use lengths and polarization shifts in the optical fiber is of the transmission line, it is desirable to achieve syn- Table 1 Representative quantum cryptographic system experiments using optical fiber (Field test between two remote points) Research institute Optical Wavelength Transmission Error rate Raw key transmis- (year) scheme (μm) distance (km) QBER (%) sion rate (bps) Geneva (2002) P&P 1.55 67 (Field) 6* 150* Mitsubishi (2004) P&P 1.55 96 (Field) 9.9 8.2 USTC (2004) One-way 1.55 125 (Field) 6 – Toshiba R.E. (2005)* One-way 1.3/1.55 20.3 (Field) 0.87* 430* * Experiment with average photon number of 0.2, double the ordinary case.

*Information Technology R&D Center Mitsubishi Electric ADVANCE June 2009 9 TECHNICAL REPORTS chronization by sending a clock synchronization signal to be approx. 140 km. In fact, an approx. 100-km optical of high intensity, together with a quantum signal at the fiber experiment and 144-km free space experiment single-photon level. When this high-intensity clock syn- have already been reported. chronization signal is transmitted through an optical fiber To achieve secure and long-distance implementa- along with the very weak quantum signal using a wave- tion with equipment simpler than the decoy method, a length division multiplexing (WDM) technique, the tech- “differential phase shift scheme” (DPSQKD protocol) nical challenge is to achieve high-isolation wavelength has been proposed. The equipment setup for this pro- separation. tocol is the same as that for a conventional optical Progress in security analysis also continues, ac- communication scheme (DPSK scheme), resulting in a companied by proposals for new quantum crypto- relatively low-cost system configuration. The basic idea graphic schemes. Formerly, the BB84 protocol and is that quantum mechanical effects clearly appear be- weak laser beam were used for most quantum crypto- cause of the extremely low light intensity, and thus the graphic experiments at research institutes. However, system can be used for quantum cryptography. The this system is vulnerable to certain attacks called PNS greatest difference from the BB84 protocol in terms of (photon number splitting) attacks, which limits the security is that the bit information of the private key is transmission distance to less than 25 km if strict secu- coded into multiple light pulses, and thus the effect from rity standards are applied. To mitigate this drawback, it eavesdropping appears in multiple light pulses and is was, until recently, acceptable in the worldwide aca- easy to detect. The proposers initially claimed that this demic community to apply imperfect standards to prac- system can provide communication distance and speed tical quantum cryptography, which is that “a weak laser exceeding that of the decoy method. However, they did beam having an average photon number of 0.1 or less not rigorously prove system security and discussed it is assumed to be a single photon.” Underlying such an only within the limited conditions of “individual attacks.” assumption was an implicit common understanding: to Based on such evaluation, they reported their experi- achieve unconditional security for long-distance trans- mental results and claimed the world’s longest distance mission, it is essential to have a strict single photon of 100 to 200 km. After that, as a result of rigorous source, but this is difficult to realize. As a result, giving security analysis conducted by Mitsubishi Electric, it priority to the completion of a quantum cryptographic was found that the quantum cryptography in these system, a weak laser has meanwhile been used for the experiments was not secure and that the communica- light source to accelerate research on the detector, tion distance using the DPSQKD protocol only reached optical system and other elements. Once a low-cost 95 km6) in practical experimental setups which are single photon source eventually becomes available, it commonly used today. Since this scheme was found to can be integrated into the system at any time. be unsuitable for long-distance communication, discus- This situation has changed greatly over the last sion is now focused on the security of high-speed several years since the “decoy method,” an improved communication over short distances. BB84 protocol, was proposed. With this method, unconditional security is achieved for long-distance 3. Research and Development at Mitsubi- transmission using a weak laser beam without a single shi Electric photon source. With these developments, mainstream 3.1 Activities up to 2005 research is shifting its focus toward efficiently imple- In 1999, Mitsubishi Electric started R&D activities menting an unconditionally secure quantum crypto- of quantum cryptography, and in 2000, in collaboration graphic system. with Hokkaido University, successfully conducted ex- The basic setup for the decoy method is the same periments on short-wavelength (830 nm) quantum as that for the BB84 protocol except that Alice, the cryptographic communication7). In 2001, Mitsubishi was sender, changes the intensity of each light pulse inten- awarded a 5-year commission under the NICT (National tionally and randomly. In addition, the distribution of Institute of Information and Communications Technol- light intensity will not be disclosed until Bob, the recipi- ogy) Project I entitled “Research and Development on ent, receives the light. Under this condition, Eve, the Quantum Cryptography,” together with NEC and the eavesdropper, is forced to attack without any knowl- University of Tokyo. In this project, Mitsubishi was re- edge about the intensity distribution. Therefore, if an sponsible for “single photon generation,” “single photon attack is made, Bob finds statistical inconsistency in the detection,” “random number generation” and “technol- signal detection rate. This enables accurate detection of ogy for the quantum cryptographic key distribution the abovementioned PNS attacks and thus achieves system.” Since then, our achievements include more secure quantum cryptography. The unconditional 1,550-nm high-performance single-photon detectors security of the decoy method has been theoretically (dark count probability of approx. 10-6, detection effi- proved, and the achievable long distance is estimated ciency of approx. 20%) and experiments using these

10 TECHNICAL REPORTS detectors on an 87-km long-distance quantum crypto- gate control and feedback control by monitoring the graphic communication system8) in 2002, and practical clock and polarized state information contained in the field experiments using the existing 96 km of optical classical signal. A very weak light at the single photon fiber between Osaka and Kyoto in 20044). In the final level is used for the quantum cryptographic communi- year of the project, we also developed and functionally cation, whereas a high-intensity signal at the classical tested WDM quantum cryptographic equipment using 4 optical level is used for the control of the communica- wavelengths to achieve higher speed. In addition to tion equipment. The conventional way to provide a these achievements, Mitsubishi Electric also proposed transmission line for this classical signal is to use a a “circular-type quantum key distribution scheme” in the physically separated line or to separate the classic and area of new optical scheme protocol studies, and con- quantum signals using WDM on a physically common ducted experiments on the proposed system to demon- line. However, the former poses a problem with facility strate transmission speed faster than that in conven- cost, and the latter involves the difficult issue of sepa- tional methods as well as multi-user communication rating the quantum and classical signals. Therefore, we capability9). Mitsubishi Electronic has actively partici- are striving to develop such equipment that transmits pated in international exhibitions (ITU Telecom World and separates quantum and classical signals by WDM 2003, 2006; RSA Conference 2005 Japan, etc.), pre- and time-division multiplexing (TDM) on a physically senting our quantum cryptographic system and quan- common transmission line. The equipment using TDM tum encrypted secure voice telephone / videophones as utilizes the classical control signals to compensate for practical application examples. the optical fiber propagation characteristics (polarized state fluctuation, etc.) and to transmit the clock signal. 3.2 Research and development for practical appli- We also plan to transmit path control information with a cation view to networking applications. In 2006, we were awarded a 5-year commission under the NICT Project II entitled “Research and De- 3.4 Development of high-speed optical system velopment for Practical Applications of Quantum Cryp- equipment tography.” In this project, we have been working on the Combining the multiplex transmission of quantum development of high-speed and high-stability quantum and classical signals and the high-speed single-photon transmission technology, and key management and detection technologies, we studied an experimental security evaluation technology, which will be required to optical system required to achieve one of the final realize a quantum cryptographic network. The quantum objectives of 1 Mbps at 50 km (see Fig. 1). This equip- cryptographic equipment under development has a ment features high-speed quantum cryptography using practical performance target: communication distance applicable protocol based on the BB84, decoy or of 50 km and speed of 1 Mbps, and the following fea- DPSQKD protocol, light source repetition rate at the tures: (1) Time-division transmission of the classical GHz level, and transmission distance of several dozen signal and the quantum signal (the classical signals are km. We also studied circuit-board partitioning by system high intensity pulses, that is, they have a light strength functions that provides efficient configuration of the similar to those used in conventional optical communi- optical and electronic control system. Specifically, we cations, and they carry the system clock information further divided the transmitting and receiving functions and the information to compensate for fluctuation in the and adopted AdvancedTCA to configure the cir- polarization. On the other hand, the quantum signals cuit-board modules. The quantum and classical light are extremely weak laser pulses at the single-photon sources are designed using DWDM CW DFB laser level which carry secret key bits.) (2) High-speed modules with wavelength of 1550.918 nm (classical equipment with light source repetition rate at the GHz signal) and 1549.315 nm (quantum signal), and driving level, and transmission distance of several dozen km frequency up to ν = 1 GHz. To separate wave- using BB84, decoy, or DPSQK quantum cryptographic length-multiplexed signals, DWDM DEMUX is designed protocol. for channel isolation between two signals of 80 dB or greater, which will be tested in the experimental system 3.3 Development of multiplex transmission of to determine if the weak quantum signal is accurately quantum and classic signals separated from the strong classical signal. The key technology is the separation of multiplexed quantum and classical signals using 3.5 Security analysis technology time-division multiplexing. Specifically, we have devel- In parallel with the experiments, Mitsubishi Electric oped and implemented a method to compensate for has also been conducting theoretical studies on system environmental temperature change and polarized state security. Recent achievements, as described at the end fluctuation, which is achieved through synchronized of Section 2, include a proposal related to a new attack

Mitsubishi Electric ADVANCE June 2009 11 TECHNICAL REPORTS

method against DPSQKD protocol and security analysis and protocols that are proven to have unconditional results based on the proposal6). Theoretical study is security are in the minority. It is important to understand also being conducted in collaboration with Hokkaido the trend in security analysis and we will continue to University on the decoy method, and, in 2007, we de- strive toward our own research goals. veloped a new mathematical analysis method that Part of this work was supported by the project precisely estimates the upper and lower bounds of the “Research and Development on Quantum Cryptogra- “yield” parameter10). This achievement is expected to phy” of National Institute of Information and Communi- further enhance the communication distance and speed cations Technology as part of Ministry of Internal Affairs of the decoy method. and Communications of Japan’s program. Theoretical studies have also been conducted on general quantum cryptographic protocols including References authentication and signature not limited to quantum key (1) Edited by Sasaki et al., Quantum Information Com- distribution. Achievements in this area include quantum munication, Optronics Co., Ltd. (2006) bit-string commitment11). (2) C. Gobby et al., Appl. Phys. Lett. 84, 19, 10 (2004) (3) D. Stucki et al., New J. Phys. 4, 41 (2002) 4. Summary and Future Prospects (4) T. Hasegawa et al., CLEO/Europe-EQEC2005, In this paper, we presented research and devel- EH3-4, Munich (2005) opment trends and Mitsubishi Electric’s achievements (5) X. Mo et al., Opt. Lett. 30, 2632 (2005) and current R&D status on quantum cryptography. We (6) T. Tsurumaru, Phys. Rev. A 75, 062319 (2007) also described the security analysis technology. Such (7) T. Hasegawa et al., IEICE E85-A No. 1, 149 (2002) theoretical analysis is important because quantum (8) T. Hasegawa et al., CLEO/QELS2003, QTuB1, cryptography carries meaning only when its security is Baltimore (2003) theoretically proven, and also for promoting steady and (9) T. Nishioka et al., IEEE PTL 14, 4 (2002) efficient development of actual quantum cryptographic (10) T. Tsurumaru et al., Phys. Rev. A 77, 022319 equipment. Even today, the search for a new method (2008) continues and in addition to the decoy method and (11) T. Tsurumaru, Phys. Rev. A 71, 012313 (2005) and DPSQKD protocol as presented in this paper, new 74, 042307 (2006) protocols such as the six-state protocol and continu- ous-variable protocol are being proposed. However, proof of security has not kept pace with new proposals,

PLC Quantum signal WDM DEMUX

Light source PM ATT DCM

Classical signal

Light CLK pulse source modulation ATT

CLK Quantum signal PLC WDM DEMUX APD1

PM APD2 Polarization Transmission line controller (Optical fiber) CDR & polarization CLK APD control signal AMP monitor and generation control CTRL Classical signal APD output signal conversion

Fig. 1 Basic configuration of the quantum cryptographic system under development PLC: planar light circuit, PM: phase modulator, ATT: optical attenuator, CLK: clock, WDM MUX: wavelength division multiplexing, DCM: dispersion compensation module, AMP: optical amplifier, CDR: clock data recovery, APD: avalanche photodiode

12 TECHNICAL REPORTS

Hardware Implementation of Cryptographic Algorithm

Author: Daisuke Suzuki*

1. Introduction this algorithm, and thus the same circuit can be used Extensive research has been conducted on the for input of different bit lengths. hardware implementation of high-speed public key cryptosystems represented by RSA cryptography. In particular, various circuit architectures have been proposed for the processing of Montgomery multiplication(1). The Virtex-4 series and Spartan-3A DSP series released by Xilinx, Inc., a FPGA vendor, are equipped with a functional block (instead of a conventional multiplication unit) as a hardware macro, and they support dynamic changes in multiple-pattern multiplicative summation (henceforth called the “digital signal processing (DSP) function”). Some applications of this DSP function have already been reported, such as fast finite impulse response (FIR) filters and image processors; however, we believe that no cryptographic algorithms using this function have yet been reported, with the exception of the simple usage of such. This paper describes a modular exponentiation processing method and circuit architecture that can derive the maximum performance from this DSP function.

2. Processing Method Montgomery multiplication is a high-speed processing method for modular exponentiation, which is heavily used in the field of public key cryptosystems. While Montgomery multiplication has many variations, we chose a processing method described in Ref. (2) and expanded its processing unit and flow. We also enhanced the FPGA hardware macros to provide more efficient usability. Figure 1 shows this processing method, which features the following three key im- provements. First improvement: For each multiple-length addition operation, additions for 2 blocks (34 bits) are performed in one loop, whereas each multiple-length multiplication operation is performed in a half loop count (αr/2). This improvement, with the DSP48 being oper- Fig. 1 Montgomery multiplication algorithm for Virtex-4 ated at the maximum frequency and other user logics at half frequency, eases the timing constraint on the cir- 3. Hardware Configuration cuits that are configured without using hardware mac- Figure 2 shows the basic circuit that performs each ros, and allows the configuration of realistic circuits, processing task of Algorithm 1. Input A and M" are while maintaining overall throughput. Second: By intro- entered every 34 bits (2 blocks) at a time from left to ducing branching control, Algorithm 1 can be processed right and stored in each specified DMEM. Only A is in pipeline without any stalling in the process flow. updated for each Montgomery multiplication. DMEM is Third: The number of DSP48 units used, α, is fixed in implemented using a single port memory. Once aj (0 ≤ j

*Information Technology R&D Center Mitsubishi Electric ADVANCE June 2009 13 TECHNICAL REPORTS

≤ r–1) is stored in the leftmost DMEM, the circuit con- 4. Hardware Performance nected to it begins processing according to Algorithm 1. This section describes the characteristics of a pro- The DSP48 that performs multiplication of the least totype circuit for modular exponentiation based on the significant block (MUL_AB and MUL_MQ) switches the Montgomery multiplication circuit shown in Fig. 2. In calculation type depending on whether the carry bit is Table 1, a comparison is made between the results of on or off. the circuit placed and routed using ADD_PU is performed by the circuit consisting of XC4VFX12-10SF363 as the target device and the the adders and LA1s (Latency Adjuster) shown at the previous research results. To the best of our knowledge, center in Fig. 2. First, two blocks of the result from this is the world’s fastest processing performance for a MUL_AB calculation are provided at the same time modular exponentiation using FPGA. This circuit can be from the DSP48 and entered into the adder at the implemented on FPGA having the smallest logic scale negative edge of the clock (clk1). At this time, by reset- among the Virtex-4 series. In addition, modular expo- ting all other inputs to zero, the calculation result from nentiation from 512 to 2048 bits can be performed on MUL_AB is stored in LA1 as it is. Then the calculation the same circuit, providing high scalability. result from MUL_MQ is added to the calculation result from MUL_AB already stored in LA1. At this time, the Table 1 Characteristics of prototype circuit and com- difference between the input timing of MUL_AB and parison with previous research results Proposed MUL_MQ is r/2 cycle. Carry propagation from the addi- Architecture Reference(4) Reference(5) tion is one of two cases: propagation to the same adder method or to the next adder. For the circuit shown in Fig. 2, a Target device XC4VFX12-10 XC2V3000-6 XC40250XV flip-flop to store the carry is implemented for each case Scalability Y N N to improve the timing. 512 bit MEX time 0.26 ms (max) 0.59 ms (avr) 2.93 ms (max) 3937 slices 8235 slices The circuit shown at the bottom in Fig. 2 performs 512 bit MEX area 3413 slices ADD_VS calculation. This circuit performs simultaneous + 17 DSP48 + 32 multipliers 1024 bit MEX time 1.71 ms (max) 2.33 ms (avr) 11.95 ms (max) addition of two blocks, s(i, 2j + 1) and s(i, 2j + 2), which are 3937 slices 14334 slices respectively provided from LA1 and LA2 at the timing 1024 bit MEX area 6636 slices when the calculation result is provided from ADD_PU. + 17 DSP48 + 62 multipliers For more details about the hardware configuration, see * MEX: Modular exponentiation Ref. (3).

Fig. 2 Montgomery multiplication circuit

14 TECHNICAL REPORTS

5. Conclusion This paper presented hardware implementation technology for cryptographic algorithms using an example of high-speed hardware for public key cryptosystems. In addition to this example, we have also developed block cipher and stream cipher circuits, a hash function circuit, and other hardware setups required for the construction of security systems. We will strive to develop fully optimized applications using these hardware implementation technologies.

References (1) Montgomery, P.L.: Modular Multiplication without Trial Division. Mathematics of Computation, Vol. 43, No. 170, pp. 519-521, 1985. (2) Orup, H.: Simplifying quotient determination in high-radix modular multiplication, Proc. of the 12th Symposium on Computer Arithmetic, pp. 193-199, 1995. (3) Suzuki, D.: How to Maximize the Potential of FPGA Resources for Modular Exponentiation. CHES 2007, LNCS, Vol. 4727, pp. 272-288, 2007. (4) Blum, T., Paar, C.: High-Radix Montgomery Modu- lar Exponentiation on Reconfigurable Hardware, IEEE Transactions on Computers, Vol. 50, No. 7, pp. 759-764, 2001. (5) Tang, S.H., Tusi, K.S., Leong P.H.W.: Modular Exponentiation using Parallel Multipliers, FPT 2003, pp. 52-59, 2003.

Mitsubishi Electric ADVANCE June 2009 15 TECHNICAL REPORTS

Performance Evaluation of Block Encryption Algorithms on Core 2

Authors: Junko Nakajima* and Mitsuru Matsui*

1. Introduction now performed online, similar to the Pentium III, not This paper presents the high-speed software en- using the trace cache. The Core 2 has also enhanced cryption technique, “bit-slice implementation,” on Intel’s the fusion functions used in the Pentium M, and fused new Core 2 processor, which is its first mi- μ-ops have become quite similar to the macro-operation cro-architecture platform. Until now, the performance of of the Athlon 64. leading-edge processors has been evaluated and Table 1 shows a listing of instruction latency and compared by implementing encryption algorithms and throughput obtained by experiment. It is evident from various benchmark tests. From the standpoint of en- this table that the throughput of logic operation instruc- cryption implementation, it is important to study the best tions, which was below 2 μ-ops/cycle with the x64 implementation method together with platform migration instructions of the Pentium 4, is now improved to 3 because the execution speed of the same program can μ-ops/cycle with the Core 2; and the latencies of right change completely depending on the architecture. shift and left/right rotate instructions, which were ex- In 1997, Biham proposed bit-slice implementation, tremely long with the Pentium 4, are now much im- where multiple blocks are processed in parallel by proved with the Core 2. In addition, for the XMM in- assuming a single software instruction with n-bit-long structions, throughputs of register-to-register move and registers as n-sets of hardware logic gates. Therefore, logic operation instructions are improved from 1 to 3; when this method is used to implement an encryption and the latencies are also improved, achieving nearly algorithm on a small-sized hardware and target proc- the same performance as x64 instructions. In contrast, essor with many registers, faster speed is expected. the greatest performance bottleneck for the Core 2 This method has an additional advantage of providing seems to be caused by the instruction fetch being security against side-channel attacks such as cache limited to 16 bytes per cycle. To speed up a program, attacks because there is no need to refer to the tables certain techniques are required, such as making the depending on the key value. instruction length as short as possible. Until now, bit-slice implementation has demon- Table 1 Instruction latency and throughput strated its effectiveness on reduced instruction set computer (RISC) processors, whereas PC (x86) processors are considered to be unsuitable for this implementation because of the increased frequency of memory access due to few available registers, resulting in a bottleneck to the execution speed. This time, we focused on the new feature of the Core 2, that is, the significantly enhanced single instruction multiple data (SIMD) instructions compared to the Pentium 4 and Athlon 64, which is expected to improve the performance of bit-slice implementation. Consequently, we studied the software implementation and speed-up techniques of block encryption schemes (MISTY, KA- SUMI, AES, and Camellia) taking into account the processor architecture in a 128-bit environment.

2. Core 2 Architecture To reduce power consumption, the design concept of the Core 2’s architecture was shifted to increasing 3. MISTY and KASUMI scalability rather than frequency, resulting in 14 pipeline KASUMI is a 64-bit block encryption algorithm stages. This number is less than half that of the con- used as the standard in the Universal Mobile Telecom- ventional Pentium 4 core (Prescott core). Decoding is munications System (UMTS) / Global System for Mobile

*Information Technology R&D Center 16 TECHNICAL REPORTS

Communications (GSM). The design of KASUMI is 4. AES and Camellia based on MISTY and because its structure is suited for Both AES and Camellia use linearly equivalent hardware, faster speed by using bit-slice implementa- S-boxes for the inversion functions of GF (28). The tion can be expected. The left side of Fig. 1 shows the number of instructions for this calculation has a domi- FI function of KASUMI, and the right-hand side shows nant influence on the overall calculation speed. From that the number of instructions required by the FI func- the standpoint of bit-slice implementation, the smallest tion can be reduced by an equivalent transformation. S-box we are aware of uses subfields, where the inver- Both MISTY and KASUMI have two kinds of S-boxes, sion functions of GF (28) are configured by the opera- S7 and S9, within the dominant inner function FI. While tions of GF (24), and the operations of GF (24) is in turn MISTY has three S-boxes (S7 – S9 – S7), KASUMI has configured by the operations of GF (22)[5]. In the case of two of each kind, for a total of four S-boxes, resulting in bit-slice, there are approx. 200 instructions for one a difference in the total number of table references S-box, and considering that AES and Camellia respec- (KASUMI = 96, MISTY = 76), which becomes the de- tively refer to the S-box 160 and 144 times per one fining factor for KASUMI’s slower encryption speed block, the total processing amount for the S-box, e.g. compared to MISTY. On the contrary, KASUMI’s key for 128 blocks of parallel processing, would be 250 and scheduling time is much shorter than the encryption 225 instructions per one block, respectively, which time because bit-slice implementation does not require accounts for approx. 70% of the overall instructions. A any shift/rotate operations. Bit-slice implementation of performance comparison between the Core 2 and KASUMI provides an encryption speed 4 times faster Pentium 4 in normal implementation shows that the and key scheduling speed at least 30 times faster than Core 2 requires a slightly smaller cycle count per block, with normal implementation (Table 2). but a comparison with the Athlon 64 still shows a significant performance difference. The reason for the difference is that the Athlon 64 can perform 64-bit memory read operations twice per cycle compared to only once per cycle for the Core 2. In contrast, in the case of bit-slice implementation using 128-bit XMM registers, the effect of enhanced SIMD instructions for the Core 2 becomes evident. This implementation provides more than 50% faster speed compared to that with normal implementation, and performance that is twice as fast as that with bit-slice implementation using 64-bit general registers, which directly reflects the register size being doubled from 64 bits to 128 bits. Considering that the speed of the Pen- tium 4 and Athlon 64 with bit-slice implementation is 50% slower than with normal implementation, the performance improvement of the Core 2 SIMD instructions is remarkable. Until now, Camellia’s performance has never approached that of AES on any platform in nor-

mal implementation, but the implementation results for Fig. 1 Equivalent forms of the FI function of KASUMI Camellia show that with the two-block parallel imple- Table 2 Implementation performance of KASUMI and Table 3 Implementation performance of AES and Camellia MISTY1 with 128-bit key

Mitsubishi Electric ADVANCE June 2009 17 TECHNICAL REPORTS mentation on the Core 2, Camellia (Table 3; Double) surpasses AES (Single). With bit-slice implementation, Camellia is faster than AES on any processor, which is mostly attributed to the fact that Camellia has 16 units fewer S-boxes. Bit-slice operations are performed in special data format, which necessitates format conversion to maintain compatibility. This conversion requires the reposi- tioning of all data bits and hence considerable computation time, which was one of the factors hindering practical application of the bit-slice technique. This time, bit-slice implementation on the Core 2 has achieved the performance of one cycle or less per byte, which is much faster than with normal implementation even when pre- and post-format-conversion time is added.

5. Conclusion In this paper, the superior performance of Intel’s latest processor, Core 2, in particular its SIMD instructions, was described from the viewpoint of bit-slice implementation of block encryption algorithms. It was clearly shown that AES performance with bit-slice implementation on a PC processor is higher than that with normal implementation. This fact, together with the security advantage of the bit-slice technique against implementation attacks such as cache attacks, may create a turning point in discussions on the application of public key cryptography (such as usage mode).

References (1) M. Matsui: New encryption algorithm MISTY (1997) (2) 3GPP TS 35.202 v6.1.0: 3G Security; Specification of the 3GPP Confidentiality and Integrity Algo- rithms; Document 2: KASUMI Specification (2005) (3) K. Aoki, et al.: The 128-Bit Block Cipher Camellia (2002) (4) Federal Information Processing Standards Publica- tion 197: Advanced Encryption Standard (2002) (5) M. Matsui: How Far Can We Go on the x64 Proc- essors? (2006)

18 TECHNICAL REPORTS

Information Security for Mitsubishi Digital CCTV System MELOOKμ

Authors: Teruyoshi Yamaguchi*, Hironobu Abe* and Tomohiro Ueda**

1. Introduction other media as encrypted. Since the video images are Mitsubishi Electric has developed a new digital encrypted when stored, they cannot be directly viewed closed-circuit television (CCTV) system MELOOKμ with an ordinary file viewer unless a legitimate method featuring the simple introduction of a video surveillance is used. As a result, even if a DVD or HDD is stolen, the system, and an easy-to-use video information manage- stored video information is protected. (Fig. 2) ment system. MELOOKμ not only records and displays high-definition images, but also protects against eavesdropping of stored images through the use of Mitsubishi Electric’s encryption technology MISTY. This paper presents the security features of MELOOKμ.

1. Mitsubishi Digital CCTV System MELOOKμ 1.1 Configuration of MELOOKμ The digital CCTV system MELOOKμ consists of a mega-pixel recorder, up to eight mega-pixel cameras, and up to eight units of DIGITAL MELOOK series network cameras. The mega-pixel recorder is connected with these cameras to collect, store and display video Fig. 2 Image data encryption in MELOOKμ images. The mega-pixel cameras are directly connected to the mega-pixel recorder, whereas the DIGITAL In addition, the mega-pixel recorder performs user MELOOK series network cameras are connected to the authentication to control access. The access control recorder via a switching hub. Video images stored in the function restricts user’s operations. Access to the DVD recorder can be copied to DVDs as required. (Fig. 1) data is available by proprietary viewer software, which is included when the video images are copied to DVD. User authentication is also performed when a DVD is played back. (Fig. 3)

Fig. 1 Mitsubishi digital CCTV system MELOOKμ

1.2 Security features of MELOOKμ MELOOKμ encrypts captured video images in real time before storing them to protect the accumulated data. When encrypted video images are displayed, they are decrypted in real time. They are copied to DVD or Fig. 3 Security functions in MELOOKμ

*Information Technology R&D Center **Communication Networks Center Mitsubishi Electric ADVANCE June 2009 19 TECHNICAL REPORTS

2. Security Technologies in MELOOKμ crypted image encryption key, encrypted images, and 2.1 Encrypted storage viewer software are copied. When the DVD is replayed, In a digital CCTV system, a large amount of video the viewer software is activated, and then the password data captured by camera must be stored and displayed is entered. If the entered password is correct, the image at a high speed. MELOOKμ encrypts mega-pixel quality encryption key is decrypted, then the encrypted images (SXVGA, Super Extended Video Graphics Array) video are decrypted and played back. If the password is data for storage, and decrypts it for display. As a con- invalid, the image encryption key cannot be decrypted, sequence, high-speed encryption and decryption are inhibiting the playback of encrypted images. (Fig. 4) required. The MELOOKμ requires a cryptographic performance of 80Mbps1 at maximum. In addition, MELOOKμ must perform other processing tasks besides cryptographic processing. Therefore, the load of cryptographic processing should be kept as low as possible. Generally, it is necessary to use dedicated hardware to meet these requirements. To realize low-cost cryptographic equipment by achieving hardware-level performance using a software process, Mitsubishi Electric has developed a new cryptographic algorithm, BROUILLARD, which belongs to the MISTY family and provides both high-speed processing and sufficient security. BROUILLARD achieves high-speed and secure operation by means of random access within a large memory space. BROUILLARD realizes an encryption Fig. 4 Encryption key management in MELOOKμ speed of 8 Gbps through implementation on the Pen- tium 4 (3 GHz). 2.3 User authentication MELOOKμ applies BROUILLARD to realize an en- The mega-pixel recorder performs access control cryption speed of 80 Mbps through software. by verifying the password provided by the user. Table 1 shows the user levels and operations per- 2.2 Encryption key management mitted for each level. Assistant level allows only live The mega-pixel recorder encrypts and accumu- image surveillance. Manager level allows, in addition to lates video image data in mass storage, and strictly live image surveillance, playback of accumulated im- controls the key information used for encryption as well ages, and camera manipulation. Owner level is the as provides authorized users with easy-to-use key highest authorization level and allows changes to vari- information. ous settings and copying of DVDs. Operations at the The mega-pixel recorder randomly generates im- assistant level do not require a password, whereas age encryption key when the system is initially booted operations at the manager and owner levels require up, and thus the probability that two recorders have password verification. identical key is extremely low. With this mechanism, video images encrypted on a certain recorder cannot be opened on other recorders. The image encryption key Table 1 User’s authority and available operations generated in this manner is encrypted by multiple parameters and stored in multiple non-volatile areas. The encryption keys stored in the non-volatile areas are all encrypted and thus secure against illegal extraction of data from non-volatile areas. When the mega-pixel recorder is booted up in a normal mode, encrypted image encryption key is re- trieved from the system area and decrypted. Using the decrypted image encryption key, the video images are actually encrypted. When a user copies their images to DVD, the en-

1 Including both encryption and decryption

20 TECHNICAL REPORTS

A password for DVD playback is defined when the owner copies video images to DVD. When the DVD is played back, the specified password must be entered to play back the video images. A manager level or owner level password can be changed after it is authenticated at each proper level.

3. Conclusions This paper introduced the security features of the Mitsubishi digital CCTV system, MELOOKμ. In the future, MELOOKμ is expected to be equipped with additional features including Web distribution functions, and backup HDD expansion capability.

Mitsubishi Electric ADVANCE June 2009 21 TECHNICAL REPORTS

Our Efforts in PKI Technologies

Authors: Satoshi Takeda*, Tadakazu Yamanaka* and Hideyuki Miyohara**

1. Introduction including standardization activities at ECOM and JA- A digital signature is an effective means of authen- HIS. ticating the identity of an electronic document’s author or preventing the illegal alteration of an electronic 2. Trend of Standardization document. The digital signature can be verified through 2.1 Long-term signature format a digital certificate, which is valid for a maximum period Digital signature technology allows authentication of five years, as defined by the law. However, many of a signer’s document, where a digital signature is electronic documents must be stored for longer than 5 generated using a digital certificate and corresponding years, as in the case of receipts and financial state- private key issued by the user’s trusted Certificate ments that have a legally required retention period of 7 Authority (CA), and verification is performed using the years. As a consequence, an issue arises when the digital certificate and public key. The digital signature 5-year validity period for a digital certificate has expired, can be verified by confirming that it is within the valid and the digital signature cannot be verified. period of the digital certificate and has not been invali- Long-term signature technology ensures the valid- dated. To ensure the validity of a digital signature, it is ity of a digital signature even after the certificate’s pe- necessary to prove that it existed when the signer’s riod of validity. This technology is standardized by the document was created. The creation time of a digital Internet Engineering Task Force (IETF) and the Euro- signature can be set as one of the attributes of the pean Telecommunications Standards Institute (ETSI). signature. However, the time set will be the time infor- The Next Generation Electronic Commerce Promotion mation provided by the equipment that generates the Council of Japan (ECOM) proposed the standardization electronic signature, which may create a reliability issue. of long-term signature formats under the Japanese It is also necessary to be able to check the validity of Industrial Standards (JIS), and it was officially an- the signature even after the certificate expires or is nounced as a JIS standard in March 2008. ECOM invalidated. To deal with these issues, the following formulated a long-term signature profile and conducted requirements must be satisfied: interoperability tests based on the formulated profile z Identify the time when the signature was applied. and involving multiple vendors. Meanwhile, the Japa- z Identify the evidence information required for nese Association of Healthcare Information Systems re-verification. Industry (JAHIS) is developing a guideline and working z Enable the detection of illegal alteration of electroni- on the standardization of electronic archiving and digital cally signed document and information required for signatures for healthcare documents to ensure the re-verification. interoperability of healthcare information systems. z Retain electronically signed document and informa- Mitsubishi Electric has been participating in the tion required for re-verification, with the detection of ECOM and JAHIS committees and is actively involved illegal alteration enabled. in the formulation of a long-term signature profile and The long-term signature format satisfies the above interoperability tests. This paper presents the details requirements, and ensures the validity of a digital sig- and development status of some of Mitsubishi Electric’s nature “even after the digital certificate has expired, or efforts in Public Key Infrastructure (PKI) technologies, even if the old encryption algorithm has been compro-

Timestamp Certificate Certificate Signer’s Signed Digital and and Archive Archive over digital timestamp timestamp document attributes signature signature revocation revocation references values

Fig. 1 Long-term signature format

*Information Technology R&D Center **Information Security Consulting & Supporting Center 22 TECHNICAL REPORTS mised.” As shown in Fig. 1, in addition to the signer’s hcRole to determine if the signer is a licensed medical document and digital signature (ES), the long-term doctor or a management representative of a medical signature format data includes a timestamp over the institution, such as a hospital director. digital signature that indicates the signing time (ES-T), With regard to the validity of a certificate, in order certificate and revocation references for the digital to indicate that the digital signature was valid at the certificate and revocation information (ES-C), certificate time that it was timestamped, it is specified that the and revocation values used as verification information authenticity of the information required to verify the for the digital signature and the timestamp over the certificate, such as the certificate and revocation values digital signature (ES-X), and an archive timestamp on a certificate ‘pass’ (CRL/ARL), must be maintained (ES-A). The timestamp data proves “when” the signer’s during the certificate retention period; and the recom- document was signed; and the issuing agency in Japan mended format to be used is the long-term signature secures the reliability of timestamps using the certifica- format specified in the previously mentioned JIS stan- tion system. As long as an archive timestamp is affixed dards. It is also specified that the signer prepares the using an uncompromised encryption algorithm, the ES-A format for documents to be personally retained, validity period of the digital signature can be extended. and the ES-T format for documents to be externally The authenticity of the data can be proven for a long submitted. term by verifying the consistency of the digital signature, timestamp over the digital signature, and digital certifi- 3. Our Efforts cate and revocation data included in the long-term 3.1 Interoperability tests according to the JIS draft signature format. for ECOM long-term signature profile The long-term signature uses the advanced format From 2006 to 2007, ECOM conducted “Interopera- of either Cryptographic Message Syntax (CMS) or bility tests according to the JIS draft for long-term sig- Extensible Markup Language (XML), referred to as nature profiles.” Eighteen companies including Mitsu- CAdES (CMS Advanced Electronic Signatures) or bishi Electric participated in the tests, in cooperation XAdES (XML Advanced Electronic Signatures), respec- with three companies that offer the service of issuing tively, and published as standards RFC 5126[1], ETSI timestamps. The interoperability tests consist of the TS 101 733[2], and ETSI TS 101 903[3]. following two kinds of tests: (1) Off-line test to verify long-term signature format 2.2 JIS Standards for long-term signature profile ECOM prepared the long-term signature data, veri- ECOM has been working on standardizing the pro- fication data, and set-up data conforming to the JIS file for the long-term signature format as described in draft for long-term signature profiles. Products or proto- the previous section. During their activities, ECOM types of participating companies performed off-line exchanged information and opinions with ETSI to es- verification of the validity of the long-term signature tablish consistency between the profiles developed by data. The verification results were checked to deter- ECOM and the profiles specified by ETSI, and then mine if they matched ECOM’s assumptions. developed JIS drafts for the long-term signature profiles, which were eventually published as JIS X 5092[4] and (2) Product matrix interoperability test JIS X 5093[5]. Data prepared by the products (prototypes) of participating companies was verified using other compa- 2.3 Activities by JAHIS nies’ products, and the implementation of data genera- JAHIS is working to promote standardization in the tion functions and verification functions was checked to field of healthcare systems, including the standardiza- determine if they were in conformance with the JIS draft tion of electronic archiving and digital signatures to for long-term signature profiles. ECOM prepared the ensure the interoperability of healthcare information verification data and set-up data, and timestamps were systems. provided using the timestamp agencies of the three In the guideline developed by JAHIS, the digital cooperating companies. certificate for Healthcare PKI (HPKI), developed by the Ministry of Health, Labour and Welfare, is recom- Mitsubishi Electric participated in the interoperabil- mended as the digital certificate to be used for digital ity tests to confirm that both of our proprietary CAdES signatures on electronically archived medical records. and XAdES libraries were in conformance with the JIS According to the policy for the HPKI certificate, since draft for long-term signature profiles. As the first step in the qualification data is described in the digital certifi- the test, conformity of the long-term signature format cate, the hcRole attribute can be used as an extended data prepared by other companies was checked using certificate field. An important feature of this certificate is Mitsubishi’s libraries. In parallel, we also prepared that the person who is verifying the certificate can use long-term signature format data, and confirmed that our

Mitsubishi Electric ADVANCE June 2009 23 TECHNICAL REPORTS data was properly verified using the other companies’ (2) ETSI TS 101 733 V1.7.4: CMS Advanced Elec- verification mechanisms. With these results, both our tronic Signatures (CAdES) (2008) CAdES and XAdES libraries were confirmed to be in (3) ETSI TS 101 903 V1.3.2: XML Advanced Electronic conformance with the JIS draft for long-term signature Signatures (XAdES) (2006) profiles. (4) JIS X 5092: Long term signature profiles for CMS advanced electronic signatures (CAdES) (2008) 3.2 Office add-on: long-term signature application (5) JIS X 5093: Long term signature profiles for XML For the purpose of creating long-term signatures advanced electronic signatures (XAdES) (2008) directly from an application program for preparing electronic documents, we used our long-term signature libraries to develop an Office Add-on for long-term signature application for Microsoft Office® (Note 1) 2007. The Office Add-on for long-term signature application has the capability to construct and verify ES-T format data that is recommended in the JAHIS guideline for application to documents for external submis- sion. It can create CAdES data as a PDF document and XAdES data as an OpenXML document. These functions are used to create a PDF document, generate a signature for the PDF document, and affix a timestamp in the case of CAdES data; they also generate a signature for an OpenXML document created using the Of- fice application, and affix a timestamp in the case of XAdES data; and create ES-T format data for either CAdES or XAdES data. Until now, a document prepared using an Office application was printed out on paper, and then the paper document was sealed and stored. In contrast, by using the Office Add-on for long-term signature application, a long-term signature format can be constructed and verified on the Office application, allowing preparation and storage of electronic documents having legal force equivalent to the paper document. As a result, a reduction in paper consumption and administrative costs, as well as time costs, is expected by using emails and file servers for real-time data communications and data sharing.

4. Conclusion The Office Add-on for long-term signature application has wide-ranging relevance including in the healthcare field and for digital signatures on mandatory archive documents. We will further strive to integrate the long-term signature library into existing applications, enabling long-term signature generation on various products.

References (1) RFC 5126: CMS Advanced Electronic Signatures (CAdES) (2008)

Note 1: The Microsoft and Microsoft Office logo are registered trade- marks of Microsoft Corporation in the United States and other countries.